Posts tagged: Trojan Horse

The home Trojan-banker known as Shylock has just been updated with new functions. According to the CSIS Security Group, during an investigation, researchers found that Shylock is now capable of spreading using the popular Voice over IP service and software application, Skype.

The program was discovered in 2011 that steals online banking credentials and other financial information from infected computers. Shylock, named after a character from Shakespeare’s “The Merchant of Venice”.

Shylock is active in only a few parts of the world. The epicenter of infections is primarily located in the UK.

The Skype replication is implemented with a plugin called “msg.gsm”. This plugin allows the code to spread through Skype and adds the following functionality:

A new Distributed Denial of Service (DDoS) crimeware bot known as “Zemra” and detected by Symantec as Backdoor.Zemra. Lately, this threat has been observed performing denial-of-service attacks against organizations with the purpose of extortion. Zemra first appeared on underground forums in May 2012 at a cost of €100.

This crimeware pack is similar to other crime packs, such as Zeus and SpyEye, in that is has a command-and-control panel hosted on a remote server. This allows it to issue commands to compromised computers and act as the gateway to record the number of infections and bots at the attacker’s disposal.

Similar to other crimeware kits, the functionality of Zemra is extensive:

256-bit DES encryption/decryption for communication between server and client

DDoS attacks

Device monitoring

Download and execution of binary files

Installation and persistence in checking to ensure infection

Propagation through USB

Self update

Self uninstall

System information collection

However, the main functionality is the ability to perform a DDoS attack on a remote target computer of the user’s choosing.

Initially, when a computer becomes infected, Backdoor.Zemra dials home through HTTP (port 80) and performs a POST request sending hardware ID, current user agent, privilege indication (administrator or not), and the version of the OS. This POST request gets parsed by gate.php, which splits out the information and stores it in an SQL database. It then keeps track of which compromised computers are online and ready to receive commands.

Inspection of the leaked code allowed us to identify two types of DDoS attacks that have been implemented into this bot:

HTTP flood

SYN flood

Symantec added detection for this threat under the name Backdoor.Zemra, which became active on June 25, 2012. To reduce the possibility of being infected by this Trojan, Symantec advises users to ensure that they are using the latest Symantec protection technologies with the latest antivirus definitions installed.

A new configuration of the Carberp Trojan that targets Facebook users to commit financial fraud. Unlike previous Facebook attacks designed to steal user credentials from the log-in page, this version attempts to steal money by duping the user into divulging an e-cash voucher.

Carberp replaces any Facebook page the user navigates to with a fake page notifying the victim that his/her Facebook account is “temporarily locked”. The page asks the user for their first name, last name, email, date of birth, password and a Ukash 20 euro (approximately $25 US) voucher number to “confirm verification” of their identity and unlock the account. The page claims the cash voucher will be “added to the user’s main Facebook account balance”, which is obviously not the case. Instead, the voucher number is transferred to the Carberp bot master who presumably uses it as a cash equivalent (Ukash provides anonymity similar to that offered by cash payments), thus effectively defrauding the user of 20 euro/$25.

This clever man-in-the-browser (MitB) attack exploits the trust users have with the Facebook website and the anonymity of e-cash vouchers. Unlike attacks against online banking applications that require transferring money to another account which creates an auditable trail, this new Carberp attack allows fraudsters to use or sell the e-cash vouchers immediately anywhere they are accepted on the internet.

Attacking social networks like Facebook provides cybercriminals with a large pool of victims that can be fairly easily tricked into divulging confidential account information, and even, as illustrated in this case, giving up their cash. With the growing adoption of e-cash on the internet, we expect to see more of these attacks. Like card not present fraud, where cybercriminals use stolen debit and credit card information to make illegal online purchases without the risk of being caught, e-cash fraud is a low risk form of crime. With e-cash, however, it is the account holder not the financial institution who assumes the liability for fraudulent transactions.

OSX/Tsunami.A, an IRC controlled backdoor Trojan for Mac OS X, has been discovered that enables the infected machine to become a bot for Distributed Denial of Service (DDoS) attacks.

The analyzed sample contains a hardcoded list of IRC servers and channel that it attempts to connect to. This client then listens and interprets commands from the channel. The list of accepted commands can be seen in the following comment block from the C source code of the Linux variant.

In addition to enabling DDoS attacks, the backdoor can enable a remote user to download files, such as additional malware or updates to the Tsunami code. The malware can also execute shell commands, giving it the ability to essentially take control of the affected machine.

In terms of functionality, the Mac variant of the backdoor is similar to its older Linux brother, with only the IRC server, channel and password changed and the greatest difference being that it’s a 64-bit Mach-O binary instead of an ELF binary.

An emerging malware threat identified as the Duqu trojan has received a great deal of attention because it is similar to the infamous Stuxnet worm of 2010.

What is Duqu?
The Duqu trojan is composed of several malicious files that work together for a malicious purpose. The first component is a Windows kernel driver that searches for and loads encrypted dynamic link library (DLL) files. The decrypted DLL files implement the main payload of Duqu, which is a remote access trojan (RAT). The RAT allows an adversary to gather information from a compromised computer and to download and run additional programs.

The facts observed through software analysis are inconclusive in terms of proving a direct relationship between Duqu and Stuxnet at any other level.

Does Duqu target industrial control systems?
Unlike Stuxnet, Duqu does not contain specific code that pertains to supervisory control and data acquisition (SCADA) components such as programmable logic controllers (PLCs). Duqu’s primary purpose is to provide an attacker with remote access to a compromised computer, including the ability to run arbitrary programs. It can theoretically be used to target any organization.

Is there any evidence in the code indicating specific targets?
Duqu facilitates an adversary’s ability to gather intelligence from an infected computer and the network. Any specific market segments, technologies, organizations or countries that are targeted by the Duqu malware have not yet identified.

What are indicators of a Duqu infection?
The Duqu trojan attempts to use the network to communicate with a remote command and control (C2) server to receive instructions and to exfiltrate data. Analysis of Duqu revealed that it uses the 206.183.111.97 IP address as its C2 server. This IP address is located in India and has been shut down by the hosting provider. Also, Duqu may attempt to resolve the kasperskychk.dyndns.org domain name. The resulting IP address is not used for communications, so this lookup may serve as a simple Internet connectivity check. Administrators should monitor their network for systems attempting to resolve this domain or connect to the C2 IP address for possible infection.

The byproducts in Table 2 have been collected from multiple Duqu variants and would not be present on a single infected computer.

Name

File Size

MD5

jminet7.sys

24,960 bytes

0eecd17c6c215b358b7b872b74bfd80

netp191.pnf

232,448 bytes

b4ac366e24204d821376653279cbad8

netp192.pnf

6,750 bytes

94c4ef91dfcd0c53a96fdc387f9f9c3

cmi4432.sys

29,568 bytes

4541e850a228eb69fd0f0e924624b24

cmi4432.pnf

192,512 bytes

0a566b1616c8afeef214372b1a0580c

cmi4464.pnf

6,750 bytes

e8d6b4dadb96ddb58775e6c85b10b6c

<unknown>(sometimes referred to as keylogger.exe)

85,504 bytes

9749d38ae9b9ddd81b50aad679ee87e

nfred965.sy

24,960 bytes

c9a31ea148232b201fe7cb7db5c75f5

nred961.sys

unknown

f60968908f03372d586e71d87fe795c

adpu321.sy

24,960 bytes

3d83b077d32c422d6c7016b5083b9fc

iaStor451.sys

24,960 bytes

bdb562994724a35a1ec5b9e85b8e054f

The name “Duqu” was assigned to this malware because the keylogger program creates temporary files that begin with the prefix “~DQ”. A computer infected with Duqu may have files beginning with “~DQ” in Windows temporary directories.

How do Duqu infections occur?
The mechanism by which Duqu infections occur is unknown. Current analysis of Duqu has not revealed any ability to infect additional systems like the Stuxnet worm could.

Is antivirus and antimalware protection sufficient for detecting Duqu?
Since its discovery, security vendors have worked to improve their ability to detect Duqu. However, the author may simply release newer variants that are no longer detected by antivirus and antimalware products.